Abstract
Our concern is the modular development of a certified static analyzer in the Coq proof assistant. We focus on the extension of the Verified Polyhedra Library—a certified abstract domain of convex polyhedra—with a linearization procedure to handle polynomial guards. Based on ring rewriting strategies and interval arithmetic, this procedure partitions the variable space to infer precise affine terms which over-approximate polynomials. In order to help formal development, we propose a proof framework, embedded in Coq, that implements a refinement calculus. It is dedicated to the certification of parts of the analyzer—like our linearization procedure—whose correctness does not depend on the implementation of the underlying certified abstract domain. Like standard refinement calculi, it introduces data-refinement diagrams. These diagrams relate “abstract states” computed by the analyzer to “concrete states” of the input program. However, our notions of “specification” and “implementation” are exchanged w.r.t. standard uses: the “specification” (computing on “concrete states”) refines the “implementation” (computing on “abstract states”). Our stepwise refinements of specifications hide several low-level aspects of the computations on abstract domains. In particular, they ignore that the latter may use hints from external untrusted imperative oracles (e.g. a linear programming solver). Moreover, refinement proofs are naturally simplified thanks to computations of weakest preconditions. Using our refinement calculus, we elegantly define our partitioning procedure with a continuation-passing style, thus avoiding an explicit datatype of partitions. This illustrates that our framework is convenient to prove the correctness of such higher-order imperative computations on abstract domains.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
There are several kinds of oracles in the VPL: those based on Farkas certificate for basic polyhedra computations; the linearization strategy in the linearization procedure; etc. In the Coq code, each of these oracles is declared as a “non-deterministic” function in parameter of the code (through an axiom). Here, “non-determinism” is formalized by requiring the results of such functions to inhabit a may-return monad. Section 4.1 recalls the axioms of may-return monads, initially proposed in [13].
Thus, we do not use our refinement calculus in a decompositional (i.e. “top-down”) approach, that builds an implementation by stepwise derivation from a specification. On the contrary, we use our refinement calculus in a compositional (i.e. “bottom-up”) approach, that builds larger “bricks” from smaller “bricks”.
Typically, C\(\sharp \)minor small-step semantics distinguishes infinite loops depending on whether they invoke system calls or not. But, by definition, an infinite loop cannot have runtime errors. Hence, all infinite loops are equivalent for Verasco analyzer. Even better, the analyzer can safely prune any control-flow branch where they appear, exactly like unreachable code.
Thus, the embedding of VPL in Verasco coerces its imperative operators into pure ones. Logically, this coercion remains to assume that VPL oracles are observationally pure. This is potentially wrong, because of potential bugs in these untrusted oracles [13].
Our toy analyzer does not infer loop invariants but requires them from the user. It does not seem too hard to extend our analyzer with inference of loop invariants since the VPL provides a standard (untrusted) widening operator. But, this feature is quite orthogonal to the certification of the analyzer itself. For example, Laporte [19] shows how to program such an untrusted oracle, in order to produce invariants checked by the certified analyzer.
A postcondition is thus in \({{{\mathcal {P}}}}(D\!\times \!D)\) instead of the original \({{{\mathcal {P}}}}(D)\): this standard generalization avoids introducing “auxiliary variables” to represent the input state.
However, in our algebra, \(\sqsubseteq \) corresponds to “refines”, whereas in standard refinement calculus it dually corresponds to “is refined by”. Actually, our convention follows lattice notations of abstract interpretation.
Formally, the status “no alarm is raised” is given by the boolean of our alarm writer monad.
A Kleene algebra is an idempotent (and thus partially ordered) semiring endowed with a closure operator. It generalizes the operations known from regular expressions: the set of regular expressions over an alphabet is a free Kleene algebra.
In Coq jargon, something is “informative” if it is “not a piece of proof” (thus, it remains at extraction).
References
Back, R.J., von Wright, J.: Refinement Calculus—A Systematic Introduction. Graduate Texts in Computer Science. Springer, Berlin (1999)
Besson, F., Jensen, T.P., Pichardie, D., Turpin, T.: Certified result checking for polyhedral analysis of bytecode programs. In: TGC, pp. 253–267 (2010)
Boulmé, S.: Intuitionistic refinement calculus. In: TLCA, LNCS, vol. 4583. Springer (2007)
Boulmé, S.: What is the foreign function interface of the coq programming language? Talk at the coq workshop (2018). https://coqworkshop2018.inria.fr/files/2018/07/coq2018_talk_boulme.pdf
Boulmé, S., Maréchal, A.: Refinement to certify abstract interpretations, illustrated on linearization for polyhedra. In: ITP, LNCS, vol. 9236. Springer (2015)
Boulmé, S., Maréchal, A.: Toward certification for free! Preprint on HAL (2017). https://hal.archives-ouvertes.fr/hal-01558252
Braibant, T., Pous, D.: Deciding kleene algebras in coq. Log. Methods Comput. Sci. 8(1) (2012)
Cousot, P.: Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. TCS 277(1–2), 47–103 (2002)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL. ACM (1977)
Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: POPL. ACM (1978)
Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)
Farouki, R.T.: The Bernstein polynomial basis: a centennial retrospective. Comput. Aided Geom. Des. 29(6), 379–419 (2012)
Fouilhé, A., Boulmé, S.: A certifying frontend for (sub)polyhedral abstract domains. In: VSTTE, LNCS, vol. 8471. Springer (2014)
Fouilhé, A., Monniaux, D., Périn, M.: Efficient generation of correctness certificates for the abstract domain of polyhedra. In: SAS, vol. 7935. Springer (2013)
Grégoire, B., Mahboubi, A.: Proving equalities in a commutative ring done right in Coq. In: TPHOL, LNCS, vol. 3604, pp. 98–113. Springer (2005)
Handelman, D.: Representing polynomials by positive linear functions on compact convex polyhedra. Pac. J. Math. 132(1), 35–62 (1988)
Jourdan, J.H.: Verasco: a formally verified C static analyzer. Theses, Universite Paris Diderot-Paris VII (2016). https://hal.archives-ouvertes.fr/tel-01327023
Jourdan, J.H., Laporte, V., Blazy, S., Leroy, X., Pichardie, D.: A formally-verified C static analyzer. In: POPL. ACM (2015)
Laporte, V.: Verified static analyzes for low-level languages. Theses, Université Rennes 1 (2015). https://tel.archives-ouvertes.fr/tel-01285624
Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009)
Liang, S., Hudak, P.: Modular denotational semantics for compiler construction. In: ESOP, vol. 1058, pp. 219–234. Springer (1996)
Maréchal, A.: New algorithmics for polyhedral calculus via parametric linear programming. Ph.D. thesis, Université Grenoble Alpes (2017)
Maréchal, A., Fouilhé, A., King, T., Monniaux, D., Périn, M.: Polyhedral approximation of multivariate polynomials using Handelman’s theorem. In: VMCAI, pp. 166–184 (2016)
Maréchal, A., Périn, M.: Three linearization techniques for multivariate polynomials in static analysis using convex polyhedra. Technical report TR-2014-7, Verimag research report (2014)
Mauborgne, L., Rival, X.: Trace partitioning in abstract interpretation based static analyzers. In: ESOP’05, LNCS, vol. 3444 (2005)
Miné, A.: Symbolic methods to enhance the precision of numerical abstract domains. In: VMCAI, LNCS, vol. 3855. Springer (2006)
Morgan, C.: Programming from Specifications. Prentice Hall International Series in Computer Science, 2nd edn. Prentice Hall, Upper Saddle River (1994)
Moscato, M.M., Muñoz, C.A., Smith, A.P.: Affine arithmetic and applications to real-number proving. In: ITP, LNCS, vol. 9236. Springer (2015)
Reynolds, J.C.: The discoveries of continuations. Lisp Symb. Comput. 6(3–4), 233–247 (1993)
Spiwack, A.: Abstract interpretation as anti-refinement. CoRR abs/1310.4283 (2013). http://arxiv.org/abs/1310.4283
The Coq Development Team: The Coq proof assistant reference manual—version 8.4. INRIA (2012–2014)
Wadler, P.: Monads for functional programming. In: AFP, LNCS, vol. 925. Springer (1995)
Acknowledgements
We thank Alexis Fouilhé, Michaël Périn, David Monniaux and the other members of the Verasco project for their continuous feedback all along this work.
Author information
Authors and Affiliations
Corresponding author
Additional information
This work was partially supported by French Agence Nationale de la Recherche under the VERASCO project (INS 2011) and by the European Research Council under the EU’s Seventh Framework Programme (FP/2007–2013)/ERC Grant Agreement No. 306595 “STATOR”
Rights and permissions
About this article
Cite this article
Boulmé, S., Maréchal, A. Refinement to Certify Abstract Interpretations: Illustrated on Linearization for Polyhedra. J Autom Reasoning 62, 505–530 (2019). https://doi.org/10.1007/s10817-018-9492-2
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10817-018-9492-2